GENERAL SERVICES ADMINISTRATION
OFFICE OF INSPECTOR GENERAL

REVIEW OF THE IMPLEMENTATION
OF HOMELAND SECURITY
PRESIDENTIAL DIRECTIVE 12
REPORT NUMBER A060195/O/R/F07013
August 13, 2007

TABLE OF CONTENTS

EXECUTIVE SUMMARY

INTRODUCTION
     Background
     Objective, Scope, and Methodology

RESULTS OF AUDIT
     GSA Has Been Moving Forward in Implementing HSPD-12 Requirements
     Lack of a HSPD-12 Service Contractor Hinders GSA’s Ability to Meet OMB’s October 27, 2007 Deadline
     Additional Obstacles Impacting GSA’s Ability to Implement HSPD-12

CONCLUSION

RECOMMENDATIONS

MANAGEMENT COMMENTS

MANAGEMENT CONTROLS

APPENDICES
     Management’s Response to the Draft Report
     Report Distribution

EXECUTIVE SUMMARY

Purpose

The objective of this review was to analyze whether actions underway are adequate to meet Office of Management and Budget (OMB) requirements and timeframes for the implementation of Homeland Security Presidential Directive 12 (HSPD-12) in accordance with Federal Information Processing Standard Publication 201 (FIPS 201), and if not, what corrective actions are needed.

Background

On August 27, 2004, President George W. Bush issued HSPD-12, which mandates the establishment of a common standard for identification credentials to be utilized by all Federal employees and contractors to gain physical and logical access to Federally controlled facilities and information systems. On February 25, 2005, the National Institute of Standards and Technology (NIST) published FIPS 201, Personal Identity Verification (PIV) of Federal Employees and Contractors. FIPS 201 consists of two parts: the standards in PIV I support the control objectives and security requirements described in HSPD-12. The PIV II standards support the technical interoperability requirements described in HSPD-12 and specify standards for implementing smart cards as identity credentials for use in the PIV system, including the collection, storage, and management of documentation needed to authenticate an individual’s identity. On August 5, 2005, OMB issued a memorandum, “Implementation of Homeland Security Presidential Directive (HSPD) 12 – Policy for a Common Identification Standard for Federal Employees and Contractors” (M-05-24), which set deadlines for HSPD-12 implementation. The first major deadline, October 27, 2005, required all agencies to establish control objectives and a common identity proofing process, as well as the registration and issuance process, and security controls.
The subsequent deadline of October 27, 2006, required all agencies to begin the issuance of PIV II compliant credentials. Upcoming deadlines, falling on October 27, 2007 and October 27, 2008, require agencies to complete background investigations and issue PIV cards to all contractors and employees with fifteen years or less Federal service and those employees with greater than fifteen years of service, respectively.

The GSA HSPD-12 Project Management Office (PMO) of the Office of the Chief Information Officer was created to manage GSA’s implementation of HSPD-12. In addition to the PMO, the GSA Federal Acquisition Service launched the HSPD-12 Managed Service Office (MSO) to utilize competitively selected contract vehicles to provide all project, acquisition, and financial management necessary for GSA’s customer agencies to satisfy the requirements of OMB M-05-24.

Results in Brief

GSA has met OMB’s first two deadlines requiring issuance of operating procedures by October 27, 2005, and the production of a PIV II compliant card by October 27, 2006. GSA is also continuing to move forward in such aspects of HSPD-12 implementation as processing employee and contractor background investigations, developing plans for logical and physical access, and updating its general HSPD-12 policies. However, GSA will likely not meet OMB’s October 27, 2007 deadline that requires the issuance of PIV II compliant cards to all contractors and employees with 15 years or less of service, due to the late award of an MSO Service contractor and the limited PIV card production capability of that contractor by the deadline. In addition to the MSO Service contractor currently being inoperative, GSA is faced with other obstacles affecting its ability to implement HSPD-12.
These include the lack of a detailed HSPD-12 implementation plan and the absence of a centralized database capturing GSA-wide contractor information.

Recommendations

To remedy the situation, the OCIO needs to address factors that will impact its effectiveness in implementing HSPD-12. These steps include having the PMO manager and HSPD-12 stakeholders work together to establish a detailed implementation plan outlining how GSA plans to implement HSPD-12 in its entirety and establishing a contractor identity management system, while expediting background investigations for embedded contractors.

Introduction

Background

On August 27, 2004, President George W. Bush issued Homeland Security Presidential Directive 12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors. HSPD-12 mandates the establishment of a common standard for identification credentials to be utilized by all Federal employees and contractors to gain physical and logical access to Federally controlled facilities and information systems. This directive is intended to enhance security, reduce identity fraud, increase the efficiency of identity proofing and verification, and protect the personal privacy of those issued government credentials.

The Department of Commerce and the National Institute of Standards and Technology (NIST) were tasked with publishing a definition for common identification standards required by HSPD-12. On February 25, 2005, NIST published Federal Information Processing Standards Publication 201 (FIPS 201), Personal Identity Verification (PIV) of Federal Employees and Contractors.
The standards required by HSPD-12 are made tangible in the form of a PIV card that adheres to the specifications defined in FIPS 201 and is to be used for both physical and logical access control, as well as any other agency-specific applications. FIPS 201 consists of two parts: the standards in PIV I support the control objectives and security requirements described in HSPD-12. The PIV II standards support the technical interoperability requirements described in HSPD-12 and specify standards for implementing smart cards as identity credentials for use in the PIV system, including the collection, storage, and management of documentation needed to authenticate an individual’s identity.

HSPD-12 requires Federal credentials to be secure and reliable, which is defined as a credential that: is issued based on sound criteria for verifying an individual’s identity; is strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation; can be rapidly authenticated electronically; and is issued only by providers whose reliability has been established by an official accreditation process. The primary requirements for an agency to implement HSPD-12 are to revise the identity proofing and card issuance process of the agency to meet FIPS 201 requirements. FIPS 201 requirements include the issuance of an identity credential that utilizes smart card technology (both contact and contactless), and incorporates a standardized Card Holder Unique Identifier (CHUID), digital credentials, and biometric templates.

The major milestones for HSPD-12 implementation are outlined in Office of Management and Budget (OMB) memorandum “Implementation of Homeland Security Presidential Directive (HSPD) 12 – Policy for a Common Identification Standard for Federal Employees and Contractors” (M-05-24), dated August 5, 2005.
The first major deadline, October 27, 2005, required all agencies to establish control objectives and a common identity proofing process, as well as the registration and issuance process, and security controls. The subsequent deadline of October 27, 2006, required all agencies to begin the issuance of PIV II compliant credentials. The upcoming OMB deadline of October 27, 2007, requires agencies to issue PIV cards to all contractors and employees with 15 years or less of Federal service after a successful fingerprint check and a background investigation is started or complete. The final OMB deadline of October 27, 2008, requires agencies to issue PIV cards to all employees with greater than 15 years of Federal service after a successful fingerprint check and a background investigation is started or complete.

The General Services Administration (GSA) HSPD-12 Program Management Office (PMO) of the Office of the Chief Information Officer was created to develop the PIV system architecture, as well as perform analysis of access controls, coordinate training and communication, provide transition plans from the old credentialing system to the PIV system, and to assume responsibility for GSA’s internal credentialing.

The GSA Federal Acquisition Service launched the HSPD-12 Managed Service Office (MSO) in response to HSPD-12. The MSO’s mission is to utilize competitively selected contract vehicles to provide all project, acquisition, and financial management necessary for GSA’s customer agencies to satisfy the requirements of OMB M-05-24.
Although the MSO is not a mandatory source of supply, it was established to provide centralized shared services for contributing agencies who wish to take advantage of the cost savings and efficiencies realized from establishing a common, government-wide shared services platform.

Objective, Scope, and Methodology

The audit objective was to analyze whether actions underway are adequate to meet OMB requirements and timeframes for the implementation of HSPD-12 in accordance with FIPS 201, and if not, what corrective actions are needed.

To accomplish this audit objective we performed fieldwork primarily in the National Office. During fieldwork, we performed the following tasks:

*   Obtained background information including: OMB memorandums, NIST publications, and prior Government Accountability Office and GSA Office of Inspector General audit reports.
*   Analyzed numerous GSA documents generated through the HSPD-12 PMO, the MSO, Office of Acquisition Policy, and Public Buildings Service (PBS), such as: HSPD-12 Standard Operating Procedures, HSPD-12 Draft Informational Letter, PMO Business Plan and the HSPD-12 Implementation Overview.
*   Held discussions with officials in the HSPD-12 PMO, the MSO, PBS, and the Office of the Chief Human Capital Officer (CHCO).
*   Discussed the current use of building access systems and the planned transition to PIV II compliant access systems with regional credentialing officers.
*   Analyzed a Memorandum of Understanding (MOU) between the PMO and MSO for management and service support for PIV credentials through a shared service solution.
*   Analyzed a Memorandum of Agreement between GSA and the Department of Homeland Security for background investigation services.
*   Analyzed HSPD-12 contracting language and the MSO Request for Quotations.
*   Observed the enrollment process at the MSO registration station in the National Capital Region.
*   Reviewed the bi-weekly HSPD-12 Stakeholders Meeting Minutes and the monthly HSPD-12 Program Management Updates.

The audit work was conducted from November 2006 to March 2007. The fieldwork primarily focused on the operations of the PMO office. A review of management controls was not performed due to the limited number of PIV II compliant cards currently issued. It is planned that testing of management controls will be conducted in a subsequent review when the new MSO contractor has been established.

The audit was performed in accordance with generally accepted government auditing standards.

Results of Audit

The General Services Administration (GSA) has been moving forward in its efforts to implement aspects of Homeland Security Presidential Directive 12 (HSPD-12) and Federal Information Processing Standards Publication 201 (FIPS 201), Personal Identity Verification (PIV) of Federal Employees and Contractors, by ensuring that it meets background investigation processing requirements and developing supplemental agency policy to meet the new requirements. In addition, GSA is beginning to develop plans on how it will utilize the PIV cards for logical and physical access.

GSA has met the Office of Management and Budget’s (OMB) first two deadlines requiring agencies to establish an identity proofing and registration process meeting the control objectives in FIPS 201 by October 27, 2005, and to begin deploying PIV II compliant cards by October 27, 2006. However, it is unlikely GSA will meet the October 27, 2007 deadline requiring the issuance of PIV II compliant cards to all contractors, and to all employees with 15 years or less of service.
As of March 1, 2007, GSA had only issued 71 PIV II cards, and since the contract vehicle for the PIV II cards has been recompeted, GSA will most likely be unable to obtain the required number of PIV II cards by the October 27, 2007 deadline.

GSA needs to address additional factors that will impact its effectiveness in implementing HSPD-12, including the lack of a detailed HSPD-12 implementation plan and absence of a centralized database capturing GSA-wide contractor information.

GSA Has Been Moving Forward in Implementing HSPD-12 Requirements

GSA has been moving forward in its efforts to implement aspects of HSPD-12 and FIPS 201. It has been ensuring that it meets background investigation processing requirements and developing supplemental agency policy to meet the new requirements. In addition, GSA is beginning to develop plans on how it will utilize the PIV cards for logical and physical access.

To meet the background processing requirements of HSPD-12 and FIPS 201, GSA has established standard operating procedures for personal identity verification and has been working to ensure all required background investigations are performed. As of October 17, 2005, GSA adopted new standard operating procedures for personnel security. According to this policy, before a new associate or contractor is issued an identity credential, the agency must initiate a National Agency Check with Written Inquiries (NACI), and favorable results must be received from the FBI National Criminal History Check (fingerprint check).
Once a favorable fingerprint check is received, a PIV II card can be issued and the user will have access to low impact applications such as desktop applications, network access, email access, and home directory access. When a favorable NACI is received and is adjudicated, a process often taking 2 to 3 months, the user will gain access to GSA moderate impact applications that may contain Privacy Act information.

GSA has also been working to ensure all required background investigations will be performed. The GSA Personnel Security Requirements Division (Division) within the Office of the Chief Human Capital Officer is primarily responsible for the direction, guidance, and interpretation of HSPD-12 and FIPS 201 background investigation requirements. As of March 2007, the Division has identified a possible 716 GSA employees and the PMO identified an estimated 63,000 embedded and PBS contractors that may need background investigations to meet OMB’s October 27, 2007 deadline. The Division is working to complete all fingerprint checks and start the NACI investigations for GSA employees before October 27, 2007, as required. To assist in processing background clearances for contractors, GSA has entered into a Memorandum of Agreement with the Department of Homeland Security, Federal Protective Service, to provide background investigations and suitability determinations.

GSA has also been developing supplemental policies to meet HSPD-12 requirements. On April 12, 2007, GSA issued Standard Operating Procedures for HSPD-12 Personal Identity Verification and Credentialing. Additionally, it is currently drafting the GSA HSPD-12 PIV Informational Letter to supplement instructions contained in other GSA policy documents.[1]
These documents provide guidance on many aspects of GSA’s implementation of HSPD-12, including the HSPD-12 Investigation and Adjudication Process, PIV Credentialing Procedures, System and Network Security Access, and Physical Access to GSA-Controlled Facilities. Currently, the Informational Letter is in a draft state with varying degrees of completeness. There is no firm date on when this document will become the official policy of GSA.

Finally, GSA has begun to develop plans on how it will utilize the PIV cards for logical and physical access. GSA efforts to implement logical access using the PIV II cards have been influenced by OMB memorandum “Protection of Sensitive Agency Information” (M-06-16), which lists specific actions to be taken by Federal agencies for the protection of Personally Identifiable Information (PII). The specific intent of OMB memo M-06-16 is to compensate for the protections offered by the physical security controls when information is removed from, or accessed from, outside of the agency location. GSA intends to use the PIV II card to satisfy the directive’s requirement of allowing remote access to PII with two-factor authentication where one of the factors is provided by a device separated from the computer gaining access. GSA also intends to utilize the capabilities of the card as a control for employees to log into their laptop and desktop computers.
The PMO is partnering with the Directory Services PMO to develop requirements for using the PIV II card for network and application access, and will be conducting a pilot program for logical access using 50 individuals with PIV II cards.

[1] These policies include GSA Handbook on Suitability and Personnel Security (ADM P 9732.1C); GSA Nationwide Credentials Handbook (ADM P7640.2); GSA Information Technology Security Policy (CIO P 2100.1C); and the General Services Acquisition Manual.

To address physical access control systems to be used in GSA leased and owned buildings, the PMO has arranged for a contractor to conduct a survey to determine the kinds of physical access controls that are currently in place across the approximately 9,000 buildings managed by GSA. This survey will result in an analysis to determine an approach to update and/or replace physical access control systems for GSA leased and owned buildings that are not HSPD-12 compliant. Once this is completed, the PMO will partner with the Public Buildings Service (PBS) to develop a plan to implement compliant physical access systems in Federal buildings.[2] Using a risk-based approach, PBS intends to issue policy regarding HSPD-12 responsibilities for access control procedures, including funding and installation of physical access controls. Current guidance from the PBS Assistant Commissioner’s office on card readers is that PBS will be responsible for funding only in those locations where PBS is an occupant, and will fund a prorated share along with the other building occupants. Building Security Committees will be responsible for determining building specific access control procedures.
PBS plans to model its policy upon the Interagency Security Committee draft report of October 23, 2006, Physical Security System Migration Strategy Overview.

Lack of a HSPD-12 Service Contractor Hinders GSA’s Ability to Meet OMB’s October 27, 2007 Deadline

GSA has met OMB’s first two deadlines requiring agencies to establish an identity proofing and registration process meeting the control objectives in FIPS 201 by October 27, 2005, and to begin deploying PIV II compliant cards by October 27, 2006. However, it is unlikely GSA will meet the October 27, 2007 deadline requiring the issuance of PIV II compliant cards to all contractors and employees with 15 years or less of service. As of March 1, 2007, GSA had only issued 71 PIV II compliant cards, and since the contract vehicle for the PIV II cards has been recompeted, GSA will likely be unable to obtain the required number of PIV II cards by the October 27, 2007 deadline.

In September 2006, the decision was made that the PMO would obtain the PIV II compliant cards through the GSA’s Federal Acquisition Service (FAS) HSPD-12 Managed Service Office (MSO). Accordingly, the Office of the Chief Information Officer PMO entered into a Memorandum of Understanding (MOU) with the FAS MSO. Under the terms of this MOU, the MSO is responsible for providing end-to-end services, including enrollment processing, systems infrastructure, PKI certificates, card production, issuance, and maintenance. These services were being provided through the MSO offering contract that was awarded in August 2006 to BearingPoint for $104 million over an initial contract period of six months and options to extend the contract for a total of five years.

[2] Currently, compliant solutions for access controls are limited and still undergoing development and certification.
The MSO also established four pilot registration stations in Atlanta, Seattle, New York City and Washington, D.C.

The PMO met the October 27, 2006, deadline by issuing six PIV II compliant cards via the MSO contract. However, shortly after the MSO contractor produced these PIV II compliant cards, FAS decided not to exercise the option under the contract to extend the initial contract period beyond the initial 6-month term. Since a change in contractor may create additional transition issues, GSA has been reluctant to issue a large number of PIV II cards. As of March 1, 2007, GSA had issued a total of 71 PIV II compliant cards. Instead, GSA has been primarily issuing legacy identification and credentials, such as the GSA Smart Card Credential, to new employees and contractors.

On January 12, 2007, GSA issued a solicitation requesting quotes for an offeror to provide end-to-end HSPD-12 services. The solicitation specifies that GSA FAS is offering services through this solicitation and subsequent contract as a shared service solution to all Federal government agencies. The solicitation notes that approximately 40 agencies have executed agreements with GSA to obtain services through this offering.[3] This represents approximately 420,000 Federal employees and offerors to be enrolled and issued credentials in the PIV Program through this vehicle. The contract was awarded on April 24, 2007, with roll out scheduled to begin July 2007. As part of the roll out, 225 enrollment stations are to be established nationwide by April 2008. These dates are predicated on a trouble-free completion of the certification and accreditation process and the resolution of the May 1, 2007 protests of the contract award.

The FAS MSO currently estimates that they will be able to produce only 61,280 cards by the October 27, 2007 deadline, and these must be allocated across the 42 agencies with agreements with the MSO.
However, GSA estimates that it alone requires approximately 67,110 PIV II credentials for approximately 4,110 employees with 15 years of service or less and 63,000 contractors requiring credentials by the October 2007 deadline. Given these statistics, it is unlikely that GSA will be able to meet OMB’s October 27, 2007 deadline. While waiting for the new MSO Service contractor to come on line, GSA plans to continue issuing non-compliant smart cards to its employees and contractors.

Also in abeyance until the new MSO Service contractor is fully functional is the essential HSPD-12 related training. Previously, role based training had been available to applicable GSA employees through an on-line system. We have been advised that this training has been suspended until after the new MSO contract has been awarded.

[3] As of April 2007, 42 agencies have executed agreements with GSA to obtain services through this offering.

Additional Obstacles Impacting GSA’s Ability to Implement HSPD-12

While the MSO Service contractor limitations are a major impediment to GSA’s effort to implement HSPD-12, other factors are also impacting implementation, such as the lengthy absence of a Program Manager for the HSPD-12 PMO, the need for a detailed HSPD-12 implementation plan, and the absence of a centralized database consolidating contractor information.

PMO Program Manager Vacancy

The former Program Manager of the GSA HSPD-12 PMO retired unexpectedly on January 3, 2007. Up until May 27, 2007, the PMO continued with only an Acting Program Manager coordinating GSA’s efforts to implement HSPD-12.
For this five month period a permanent Program Manager was not in place to help coordinate the major components of GSA’s HSPD-12 program, which includes the acquisition of GSA Smart Cards from the MSO, physical access, logical access, and the maintenance of legacy smart cards. Numerous GSA service and staff offices (SSO) are involved in developing these major components, such as: Office of the Chief Information Officer, Office of the Chief Human Capital Officer, Office of the Chief Acquisition Officer and PBS, and strong leadership was needed to coordinate everyone’s efforts. With the number of SSOs involved in the HSPD-12 effort, an overall Program Manager was needed to direct and monitor the many facets of HSPD-12.

The Need for a Detailed HSPD-12 Implementation Plan

On July 11, 2006, the PMO issued a business plan that detailed GSA’s alternative strategies to perform card issuance services internally as well as contracting out these services to a vendor, such as through the MSO. Once the decision was made to utilize the MSO Service contractor, a substantial part of the business plan became obsolete; however, a revised plan was not developed. On March 19, 2007, the PMO issued a GSA HSPD-12 Implementation Overview. Per the PMO, “This document is a high-level overview combining GSA’s HSPD-12 internal project plan and implementation plan and depicts the overall effort, timeline and projection of card issuance costs through FY ’08.” While this does provide a basic strategy for implementing HSPD-12, as the new MSO contractor comes on line and the technology for physical access controls becomes better defined a more detailed plan needs to be developed.

A detailed implementation plan is needed to ensure the success of the overall HSPD-12 program, as there are several issues that need to be addressed.
For example, maintaining the operations of physical access control systems during the HSPD-12 PIV transition period is an area of concern. Currently, multiple GSA Regions utilize Smart Card reader based physical access systems.[4] In addition, due to the multi-year deadline for full transition to the PIV II cards, employees with less than 15 years service may receive PIV II cards prior to employees with more years of service. To continue operating physical access control systems during the transition period, all employees within a building or office using Smart Card readers will still need the legacy GSA Smart Card. As a result, GSA may have to not just maintain, but also continue to issue legacy GSA Smart Cards to new employees until all building occupants have been provided PIV II cards and current access systems have been updated or replaced by systems that are PIV II compliant.

Although it is difficult to develop a final detailed implementation plan without the MSO contract vehicle in place, the issues surrounding the transition to, and implementation of, the PIV II card need to be addressed. As such, in developing and maintaining a detailed implementation plan, consideration will need to be given to how existing GSA functions will be impacted as the MSO contractor becomes fully operational. Currently, GSA credentialing officials are responsible for several tasks related to GSA card registration. Depending on the services provided by the MSO, some tasks might shift to the MSO Service contractor.
If so, the role of the credentialing official will need to be assessed and the implementation plan updated to reflect any changes.

Absence of a Centralized Contractor Database

As noted previously, OMB memorandum “Implementation of Homeland Security Presidential Directive (HSPD) 12 – Policy for a Common Identification Standard for Federal Employees and Contractors” (M-05-24), dated August 5, 2005, requires agencies to issue PIV cards to all applicable contractors by October 27, 2007. Effective January 3, 2006, Federal Acquisition Regulation (FAR) Parts 2, 4, 7, and 52 were revised to require solicitations and contracts to include requirements that contractors who have access to Federally-controlled facilities and information systems comply with the agency’s personal identity verification process. In response to these changes, a letter was issued by the GSA Chief Acquisition Officer, effective February 3, 2006, instructing all GSA contracting associates to include the FAR clauses as well as any agency specific guidance for personal identity verification in all solicitations and contracts issued and awarded on or after October 27, 2005. In addition, contracts awarded prior to this date that are still active (more than three months from expiration) must be modified by October 27, 2007, to include the FAR clauses as well as any agency specific changes in accordance with the implementation of FIPS 201 and OMB memorandum M-05-24.

[4] Card readers using the GSA smart card credential are used for building and/or office access in the New England, Mid-Atlantic, and Rocky Mountain regions.
The Northeast & Caribbean region\nuses its own unique smart card credential for access to several buildings in New York City.\n\n\n                                               9\n\x0cWhile the PMO estimates that there are 13,000 embedded contractors and\n50,000 PBS contractors, there is no centralized database that contains a record\nof all GSA contractors requiring the level of physical and systems access that\nnecessitates favorably adjudicated background investigations and fingerprint\nchecks. Because of this, GSA\xe2\x80\x99s Background Investigation Division is unsure of\nthe true number of contractors, and correspondingly, unsure whether all\ncontractors will have background investigations completed by the OMB deadline.\n\nGSA has utilized embedded contractors prior to the requirements of HSPD-12.\nMany of these contractors may have current physical and systems access\nwithout having the level of background checks required by HSPD-12.\nConsequently, given the impediments to full realization of the goals of HSPD-12,\nembedded contractors may have physical and logical access far beyond the\nOMB deadlines. As such, GSA needs to expedite background investigations for\nembedded contractors that currently have access to GSA systems.\n\nThe PMO has raised concerns in this area, noting that there are five sources\ncontaining information on contractors, all with different populations and data\nformats. Consequently, the PMO proposes the establishment of a contractor\nidentity management system, with mandatory enrollment for all current GSA\ncontractors. 
We agree with the need for a contractor identity management\nsystem and recommend that such a system be put into operation.\n\nConclusion\n\nAlthough GSA has met OMB\xe2\x80\x99s first two deadlines and it continues to move\nforward in such areas as processing employee and contractor background\ninvestigations, developing plans for logical and physical access, and updating\ngeneral HSPD-12 policies, GSA will likely not meet OMB\xe2\x80\x99s October 27, 2007\ndeadline as a result of the late award of a MSO Service contractor and the limited\nPIV card production capability of that contractor. In addition to the MSO Service\ncontractor limitations, GSA is faced with other obstacles affecting its ability to\nimplement HSPD-12 such as the absence of a centralized database for\ncontractor information and the need for a detailed HSPD-12 implementation plan.\nTo ensure that GSA meets future OMB deadlines and implementation of HSPD-\n12 as envisioned by the President, the Chief Information Officer should have the\nPMO Manager and HSPD-12 stakeholders work together to establish a detailed\nimplementation plan outlining how GSA plans to implement HSPD-12 in its\nentirety and establish a contractor identity management system, while expediting\nbackground investigations for embedded contractors.\n\nAs the OMB deadlines draw near, there also is a distinct possibility that\nbackground investigations processed by the Office of Personnel Management\n(OPM) may become backlogged. Within GSA alone, background investigations\nfor employees, and contractors could reach over 67,000. However, this number\ncould be over/under estimated due to the fact GSA does not have a centralized\n\n\n\n                                       10\n\x0cdatabase that tracks the number of actual GSA contractors. When taking into\naccount all the other government agencies needing background investigations,\nthere is a good possibility of a backlog at OPM. 
While employees and\ncontractors can obtain limited access to GSA facilities and computer systems\nwith an acceptable fingerprint check, full access to internal computer systems will\nnot be authorized. Backlogs in the performance of background investigations by\nOPM will have a direct impact on agencies ability to accomplish their mission.\n\nRecommendations\n\nWe recommend that the Chief Information Officer take steps to ensure the\nsuccessful implementation and management of HSPD-12 initiatives by:\n\n1. Developing a detailed implementation plan outlining how GSA plans to\n   implement HSPD-12 in its entirety; including how it will utilize the MSO\n   Service contractor and implement logical and physical access throughout\n   GSA.\n\n2. Establishing a centralized contractor database. Enrollment in this system\n   should be mandatory for all current and future contractors.\n\n      a. Expediting background investigations for embedded contractors that\n         currently have access to GSA systems.\n\n\nManagement Comments\n\nManagement concurred with the report findings. The Chief Information Officer\xe2\x80\x99s\ncomments to this report are included as Appendix A.\n\nManagement Controls\n\nA review of management controls was not performed due to the limited number\nof PIV II compliant cards currently issued. 
It is planned that testing of the\nmanagement controls will be conducted in a subsequent review when the new\nMSO contractor has been established.\n\n\n\n\n                                        11\n\x0cAPPENDICES\n\x0cAPPENDIX A\n\n                REVIEW OF THE IMPLEMENTATION\n                    OF HOMELAND SECURITY\n                  PRESIDENTIAL DIRECTIVE 12\n               REPORT NUMBER A060195/O/R/F07013\n\n             Management\xe2\x80\x99s Response to the Draft Report\n\n\n\n\n                                A-1\n\x0cAPPENDIX A\n\n\n\n\n             A-2\n\x0cAPPENDIX B\n\n                          REVIEW OF THE IMPLEMENTATION\n                              OF HOMELAND SECURITY\n                            PRESIDENTIAL DIRECTIVE 12\n                         REPORT NUMBER A060195/O/R/F07013\n\n                                       Report Distribution\n\n\n\n                                                                                               Copies\n\nOffice of the Chief Information Officer (I) ......................................................... 3\nOffice of the Chief Human Capital Officer (C) ................................................. 1\nOffice of the Chief Financial Officer (B) ........................................................... 2\nAssistant Inspector General for Auditing (JA, JAO) ......................................... 2\nAssistant Inspector General for Investigations (JI)........................................... 1\nBranch Chief, Audit Follow-up and Evaluation Branch (BECA) ....................... 1\n\n\n\n\n                                                   B-1\n\x0c'